Add a TSIG client.

examples/client-transports.rs

@@ -1,5 +1,11 @@
-use domain::base::MessageBuilder;
 /// Using the `domain::net::client` module for sending a query.
+use std::net::{IpAddr, SocketAddr};
+use std::str::FromStr;
+use std::sync::Arc;
+use std::time::Duration;
+use std::vec::Vec;
+
+use domain::base::MessageBuilder;
 use domain::base::Name;
 use domain::base::Rtype;
 use domain::net::client::cache;
@@ -12,9 +18,16 @@ use domain::net::client::request::{
     RequestMessage, RequestMessageMulti, SendRequest,
 };
 use domain::net::client::stream;
-use std::net::{IpAddr, SocketAddr};
-use std::str::FromStr;
-use std::time::Duration;
+
+#[cfg(feature = "tsig")]
+use domain::net::client::request::SendRequestMulti;
+#[cfg(feature = "tsig")]
+use domain::net::client::tsig::{
+    self, AuthenticatedRequestMessage, AuthenticatedRequestMessageMulti,
+};
+#[cfg(feature = "tsig")]
+use domain::tsig::{Algorithm, Key, KeyName};
+
 use tokio::net::TcpStream;
 use tokio::time::timeout;
 use tokio_rustls::rustls::{ClientConfig, RootCertStore};
@@ -224,7 +237,7 @@ async fn main() {
     let reply = request.get_response().await;
     println!("Dgram reply: {reply:?}");
 
-    // Create a single TCP transport connection. This is usefull for a
+    // Create a single TCP transport connection. This is useful for a
     // single request or a small burst of requests.
     let tcp_conn = match TcpStream::connect(server_addr).await {
         Ok(conn) => conn,
@@ -244,13 +257,44 @@ async fn main() {
     });
 
     // Send a request message.
-    let mut request = tcp.send_request(req);
+    let mut request = SendRequest::send_request(&tcp, req.clone());
 
     // Get the reply
     let reply = request.get_response().await;
     println!("TCP reply: {reply:?}");
 
     drop(tcp);
+
+    #[cfg(feature = "tsig")]
+    {
+        let tcp_conn = TcpStream::connect(server_addr).await.unwrap();
+        let (tcp, transport) = stream::Connection::<
+            AuthenticatedRequestMessage<
+                RequestMessage<Vec<u8>>,
+                Arc<domain::tsig::Key>,
+            >,
+            AuthenticatedRequestMessageMulti<
+                RequestMessageMulti<Vec<u8>>,
+                Arc<domain::tsig::Key>,
+            >,
+        >::new(tcp_conn);
+        tokio::spawn(async move {
+            transport.run().await;
+            println!("single TSIG TCP run terminated");
+        });
+
+        let mut msg = MessageBuilder::new_vec();
+        msg.header_mut().set_rd(true);
+        msg.header_mut().set_ad(true);
+        let mut msg = msg.question();
+        msg.push((Name::vec_from_str("example.com").unwrap(), Rtype::AXFR))
+            .unwrap();
+        let req = RequestMessageMulti::new(msg).unwrap();
+
+        do_tsig(tcp.clone(), req).await;
+
+        drop(tcp);
+    }
 }
 
 #[cfg(feature = "unstable-validator")]
@@ -273,9 +317,10 @@ where
     let ta =
         domain::validator::anchor::TrustAnchors::from_reader(anchor_file)
             .unwrap();
-    let vc = std::sync::Arc::new(
-        domain::validator::context::ValidationContext::new(ta, conn.clone()),
-    );
+    let vc = Arc::new(domain::validator::context::ValidationContext::new(
+        ta,
+        conn.clone(),
+    ));
     let val_conn = domain::net::client::validator::Connection::new(conn, vc);
 
     // Send a query message.
@@ -286,3 +331,50 @@ where
     let reply = request.get_response().await;
     println!("Validator reply: {:?}", reply);
 }
+
+#[cfg(feature = "tsig")]
+async fn do_tsig<Octs, SR>(conn: SR, req: RequestMessageMulti<Octs>)
+where
+    Octs: AsRef<[u8]>
+        + Send
+        + Sync
+        + std::fmt::Debug
+        + domain::dep::octseq::Octets
+        + 'static,
+    SR: SendRequestMulti<
+            tsig::AuthenticatedRequestMessageMulti<
+                RequestMessageMulti<Octs>,
+                Arc<Key>,
+            >,
+        > + Send
+        + Sync
+        + 'static,
+{
+    // Create a signing key.
+    let key_name = KeyName::from_str("demo-key").unwrap();
+    let secret = domain::utils::base64::decode::<Vec<u8>>(
+        "zlCZbVJPIhobIs1gJNQfrsS3xCxxsR9pMUrGwG8OgG8=",
+    )
+    .unwrap();
+    let key = Arc::new(
+        Key::new(Algorithm::Sha256, &secret, key_name, None, None).unwrap(),
+    );
+
+    // Create a signing transport. This assumes that the server being
+    // connected to is configured with a key with the same name, algorithm and
+    // secret and to allow that key to be used for the request we are making.
+    let tsig_conn = tsig::Connection::new(Some(key), conn);
+
+    // Send a query message.
+    let mut request = tsig_conn.send_request(req);
+
+    // Get the reply
+    loop {
+        println!("Waiting for signed reply");
+        let reply = request.get_response().await.unwrap();
+        println!("Signed reply: {:?}", reply);
+        if reply.is_none() {
+            break;
+        }
+    }
+}

src/net/client/mod.rs

@@ -23,6 +23,12 @@
 //!   as upstream transports.
 //! * [cache] This is a simple message cache provided as a pass through
 //!   transport. The cache works with any of the other transports.
+#![cfg_attr(feature = "tsig", doc = "* [tsig]:")]
+#![cfg_attr(not(feature = "tsig",), doc = "* tsig:")]
+//!   This is a TSIG request signer and response verifier provided as a
+//!   pass through transport. The tsig transport works with any upstream
+//!   transports so long as they don't modify the message once signed nor
+//!   modify the response before it can be verified.
 #![cfg_attr(feature = "unstable-validator", doc = "* [validator]:")]
 #![cfg_attr(not(feature = "unstable-validator",), doc = "* validator:")]
 //!   This is a DNSSEC validator provided as a pass through transport.
@@ -221,6 +227,8 @@ pub mod protocol;
 pub mod redundant;
 pub mod request;
 pub mod stream;
+#[cfg(feature = "tsig")]
+pub mod tsig;
 #[cfg(feature = "unstable-validator")]
 pub mod validator;
 pub mod validator_test;

src/net/client/request.rs

@@ -758,7 +758,7 @@ impl fmt::Display for Error {
             Error::Dgram(err) => fmt::Display::fmt(err, f),
 
             #[cfg(feature = "unstable-server-transport")]
-            Error::ZoneWrite => write!(f, "zone write error"),
+            Error::ZoneWrite => write!(f, "error writing to zone"),
 
             #[cfg(feature = "tsig")]
             Error::Authentication(err) => fmt::Display::fmt(err, f),
@@ -806,10 +806,10 @@ impl error::Error for Error {
             Error::ZoneWrite => None,
 
             #[cfg(feature = "tsig")]
-            Error::Authentication(err) => Some(err),
+            Error::Authentication(e) => Some(e),
 
             #[cfg(feature = "unstable-validator")]
-            Error::Validation(err) => Some(err),
+            Error::Validation(e) => Some(e),
         }
     }
 }